We consider the recent relativistic bit commitment protocol introduced by Lunghi et al. [Phys. Rev. Lett. 2015] and present a new security analysis against classical attacks. In particular, while the initial complexity of the protocol scaled double-exponentially with the commitment time, our analysis shows that the correct dependence is only linear. This has dramatic implications in terms of implementation: in particular, the commitment time can easily be made arbitrarily long, by only requiring both parties to communicate classically and perform efficient classical computation.


Over the last decades, which witnessed the rapid expansion of quantum information, a new trend has developed: trying to obtain security guarantees based solely on the laws of physics. Perhaps the most compelling example is quantum key distribution, where two distant parties can exploit quantum theory to extract unconditionally secure keys provided that they have access to an untrusted quantum channel and an authenticated classical channel. However, many cryptographic applications cannot be obtained only with secure key distribution. One important example is two-party cryptography, which deals with the setting where Alice and Bob want to perform a cryptographic task but do not trust each other. This is in contrast with key distribution where Alice and Bob cooperate and fight against a possible eavesdropper.

Two-party cryptography has numerous applications, ranging from authentication to distributed cryptography in the cloud. These protocols are usually separated into building blocks, called primitives. One of the most studied primitives is bit commitment, which often gives a strong indication of whether two-party cryptography is possible or not in a given model. For example, there are many constructions of bit commitment protocols under computational assumptions. It is then natural to ask whether quantum theory can provide security for two-party cryptographic primitives such as bit commitment or oblivious transfer. A general no-go theorem was proved in 1996 by Mayers and Lo-Chau. Several attempts were made to circumvent this impossibility result by limiting the storage possibilities of the cheating party. An alternative approach to obtain secure primitives, pioneered by Kent, consists in combining quantum theory with special relativity, more precisely with the physical principle that information cannot propagate faster than the speed of light. This has opened the way to new, secure, bit commitment protocols, with the caveat that the commitment time is not arbitrarily long in general but depends on the physical distance between the parties or on the number of parties involved.

A major open question of the field is therefore to design a secure practical bit commitment protocol, for which the commitment time can be increased arbitrarily at a reasonable cost in terms of implementation complexity. In this paper, we examine a protocol due to Lunghi et al., which is itself adapted from an earlier proposal of Simard. In their recent breakthrough paper, Lunghi et al. showed that it was possible to extend the commitment time by using a multi-round generalization of the Simard protocol, and established its security against classical adversaries. Unfortunately, the required resources scale double-exponentially with the commitment time, making the protocol impractical for realistic applications. For instance, with the optimal configuration on Earth (meaning that each party has agents occupying antipodal locations on Earth), the commitment time is limited to less than a second. Here, we provide a new security analysis establishing that the dependence is in fact linear, provided that the dishonest player is classical. This implies that arbitrarily long commitment times can be achieved even if both parties are only a few kilometers apart. We first present the relativistic bit commitment scheme studied by Lunghi et al. and we will then establish its security.

The Lunghi et al. protocol. — We first recall the protocol as well as the security definitions used and timing constraints. Both players, Alice and Bob, have agents $A_1, A_2$ and $B_1, B_2$ present at two spatial locations 1 and 2. Let us consider the case where Alice makes the commitment. The protocol (followed by honest players) consists of 4 phases: preparation, commit, sustain and reveal. The sustain phase is itself composed of many rounds, and each such round involves a pair of agents (alternating between locations 1 and 2) referred to as the active players. Overall the bit commitment protocol goes as follows.

1. Preparation phase: $A_1, A_2$ (resp. $B_1, B_2$) share $k$ random numbers $a_1, \ldots, a_k$ (resp. $b_1, \ldots, b_k$) $\in \mathbb{F}_q$, for even $k$. Here, $q$ is a prime power $p^n$ for some prime $p$ and $\mathbb{F}_q$ refers to the Galois field of order $q$.

2. Commit phase: $B_1$ sends $b_1$ to $A_1$, who returns $y_1 = a_1 + (d * b_1)$ where $d \in \{0,1\}$ is the committed bit.

3. Sustain phase: at round $i$, active Bob sends $b_i \in \mathbb{F}_q$ to active Alice, who returns $y_i = a_i + (a_{i-1} * b_i)$.

4. Reveal phase: $A_1$ reveals $d$ and $a_k$ to $B_1$. $B_1$ checks that $a_k = y_k + (a_{k-1} * b_k)$.

Here, $+$ and $*$ refer to the field addition and multiplication in $\mathbb{F}_q$.
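The four phases above, run by honest players, as an added example that is not code from the paper. It assumes the toy field GF(2^8) with reduction polynomial 0x11B (so the page's + is XOR) and has Bob rebuild a_k through the recursion a_j = y_j + (b_j * a_{j-1}), a_0 = d, that the page's appendix defines; the function names and the sample transcript are constructed for illustration.

```python
import secrets

M, POLY = 8, 0x11B  # assumption: toy field GF(2^8); the paper leaves q general

def gf_mul(x, y):
    """Multiply two elements of GF(2^8); field addition is XOR."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        x <<= 1
        if x >> M:          # degree reached 8: reduce modulo POLY
            x ^= POLY
        y >>= 1
    return r

def prepare(k):
    """Preparation: A1, A2 share a_1..a_k and B1, B2 share b_1..b_k (k even)."""
    if k < 2 or k % 2:
        raise ValueError("k must be a positive even number")
    a = [secrets.randbelow(1 << M) for _ in range(k)]
    b = [secrets.randbelow(1 << M) for _ in range(k)]
    return a, b

def alice_responses(d, a, b):
    """Commit: y_1 = a_1 + d*b_1. Sustain: y_i = a_i + a_{i-1}*b_i."""
    ys, prev = [], d
    for a_i, b_i in zip(a, b):
        ys.append(a_i ^ gf_mul(prev, b_i))
        prev = a_i
    return ys

def recompute_a_k(d, ys, b):
    """Bob's side: a_0 = d, then a_j = y_j + b_j*a_{j-1} for j = 1..k."""
    a_j = d
    for y_j, b_j in zip(ys, b):
        a_j = y_j ^ gf_mul(b_j, a_j)
    return a_j

def bob_verify(d, a_k, ys, b):
    """Reveal: accept iff d is a bit and the revealed a_k matches the chain."""
    return d in (0, 1) and recompute_a_k(d, ys, b) == a_k

def demo():
    # Constructed transcript (not from the paper); every b_i is nonzero.
    a = [0x3C, 0xA7, 0x11, 0xE2]
    b = [0x05, 0x9B, 0x40, 0x7F]
    ys = alice_responses(1, a, b)
    honest = bob_verify(1, a[-1], ys, b)    # opening the committed bit
    flipped = bob_verify(0, a[-1], ys, b)   # same a_k, other bit
    return honest, flipped

if __name__ == "__main__":
    print(demo())
```

In this characteristic-2 field, the value Bob recomputes for the other bit differs from a_k by the product b_1 * ... * b_k, so an opening of the other bit would have to track b_k, which the revealing agent has not seen.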
Security definition. — We follow the definitions of Ref. [H]. The security requirements differ in the case of honest Alice and honest Bob. In the former case, Bob should not be able to guess the committed value right before the reveal phase. The protocol should therefore be hiding, and it will actually be perfectly hiding here, meaning that Bob cannot guess the committed bit value better than with a random guess. Security for honest Bob is defined differently: the protocol should be binding, meaning that Alice should not be able to decide the value of the committed bit after the commit phase. We follow the standard definition for bit commitment (also used in CH). Let $p_d$ be the probability that Alice successfully reveals bit value $d$. We say that the protocol is $\varepsilon$-binding if $p_0 + p_1 \le 1 + \varepsilon$.

Timing constraints for the protocol. — The two pairs $(A_1, B_1)$ and $(A_2, B_2)$ are at a certain distance $d$.

At each round $j$, there is an active (Alice, Bob) pair that performs the protocol while the other, passive, pair waits. At the end of round $j$, they switch roles and perform round $j + 1$.

We require that round $j$ finishes before any information about $b_{j-1}$ reaches the other Alice. For any $j$, we therefore have the following: active Alice has no information about $b_{j-1}$. This means that $y_j$ is independent of $b_{j-1}$. This will be crucial in order to show security of the protocol.

[Figure: the two (Alice, Bob) pairs, separated by a distance $d$.]



Our result. — Our main contribution is to present an improved security proof for this protocol. In particular, this allows for implementations of this protocol that last for an (almost) arbitrary amount of time while the previous implementations were only secure for (much less than) a second.

In order to prove the security of the protocol, we present an inductive argument on the number of rounds of the protocol and show that at each round, the cheating parameter for Alice increases by at most where $N$ is the number of transmitted bits per round. Interestingly, the proof involves the study of $\mathrm{CHSH}_q$, which is a generalization of the CHSH game in the field $\mathbb{F}_q$. Lunghi et al. also studied an extension of the $\mathrm{CHSH}_q$ game, which they called “Number on the Forehead game”. However, their security proof quickly becomes inefficient as the number of rounds increases.

The $\mathrm{CHSH}_q$ game. — A crucial tool of our security proof is the analysis of the $\mathrm{CHSH}_q$ game introduced by Buhrman and Massar [18]. This game is a natural generalisation of the CHSH game to the field $\mathbb{F}_q$, where two non-communicating parties, Alice and Bob, are each given an input $x$ and $y$ chosen uniformly at random from $\mathbb{F}_q$, and must output two numbers $a, b \in \mathbb{F}_q$. They win the game whenever the condition $a + b = x * y$ is satisfied. The $\mathrm{CHSH}_q$ game has been much less studied in the literature than its $q = 2$ variant (see pO] for a recent review on nonlocality). A recent result by Bavarian and Shor establishes rather tight bounds on the classical and quantum values of the $\mathrm{CHSH}_q$ game. In particular, for prime or odd power of prime $q$, one has:

$$\omega(\mathrm{CHSH}_q) = O\left(q^{-1/2-\varepsilon_0}\right), \qquad \omega^*(\mathrm{CHSH}_q) \le$$

9 V ^ 

for some absolute constant $\varepsilon_0 > 0$.

These results hold only for a uniform input distribution. In order to use our inductive technique, we need to bound the value of this game for unbalanced inputs. It appears that the result of Bavarian and Shor doesn’t easily extend to this setting. We therefore developed new proof techniques that are based on using non-signaling constraints for the study of classical strategies.

Let us consider a family of games, denoted by $\mathrm{CHSH}_q(p)$, where games are parametrized by the probability distribution $\{p_x\}_{x \in \mathbb{F}_q}$ for Alice’s input $x$ satisfying the constraint $\max_x p_x \le p$. For these games, Bob’s input distribution is uniform over $\mathbb{F}_q$. In particular, $\mathrm{CHSH}_q(1/q) = \{\mathrm{CHSH}_q\}$. The special case with $q = 2$ was considered in m where the following results are proved:

$$\omega(\mathrm{CHSH}_2(p)) = (1 + p)/2,$$

$$\omega^*(\mathrm{CHSH}_2(p)) \le \left(1 + \sqrt{p^2 + (1-p)^2}\right)/2.$$

Note that for $q = 2$, Alice’s input distribution is entirely determined by the value of $p$. In order to prove upper bounds on the value of games in $\mathrm{CHSH}_q(p)$, we show that if Alice and Bob can win such a game with high probability then Alice has a method to obtain some information about Bob’s input, something that is prohibited by the non-signaling principle. This technique doesn’t directly extend to the quantum setting because Alice’s method requires her to perform her game strategy for different inputs, which could disturb the underlying shared entangled state.

Our main technical result is an upper bound on the classical value for games in $\mathrm{CHSH}_q(p)$.

Lemma 1. For any game $G \in \mathrm{CHSH}_q(p)$, we have

$$\omega(G) \le p + \sqrt{2/q}. \qquad (1)$$

Proof. Fix a game $G \in \mathrm{CHSH}_q(p)$. As usual, the classical value of the game can always be achieved with a deterministic strategy, meaning that without loss of generality, Alice and Bob’s strategies can be modeled by functions $f$ and $g$, namely: $a = f(x)$ and $b = g(y)$. Define the variable $r_x^y$ equal to 1 if $f(x) + g(y) = x * y$ and 0 otherwise.

Our proof is by contradiction: if $\omega(G)$ is too large, then Alice could use her box to obtain some information about $y$, which is prohibited by non signaling. More precisely, consider the following strategy for Alice: pick a random pair of distinct inputs $x, x'$ according to the distribution $\{p_x\}$, i.e. with probability $p_x p_{x'}/D$ where $D = \sum_{x \ne x'} p_x p_{x'}$; output the guess $\hat{y}$ for $y$ defined by $\hat{y} = (f(x) - f(x')) * (x - x')^{-1}$. Denote by $S^y$ the probability of correctly guessing the value $y$. Non signaling imposes that $\mathbb{E}_y[S^y] = 1/q$, since the value $y$ is uniformly distributed in $\mathbb{F}_q$.

On the other hand, we note that if the game $G$ is won for both inputs $(x, y)$ and $(x', y)$, then Alice’s strategy outputs the correct value for $y$. Indeed, winning the game implies that $f(x) - f(x') = (x - x') * y$ and therefore $\hat{y} = y$. One immediately obtains a lower bound on $S^y$:

$$S^y \ge \frac{1}{D} \sum_{x \ne x'} p_x p_{x'} r_x^y r_{x'}^y \ge \sum_{x \ne x'} p_x p_{x'} r_x^y r_{x'}^y.$$

Consider the quantity $\omega^y = \sum_x p_x r_x^y$. It satisfies:

$$(\omega^y)^2 \le \sum_x p_x^2 (r_x^y)^2 + 2S^y = \sum_x (p_x)^2 r_x^y + 2S^y \le p\,\omega^y + 2S^y,$$

where we used that $(p_x)^2 \le (\max_x\{p_x\})\, p_x \le p\, p_x$. This implies that

$$\omega^y \le \frac{p + \sqrt{p^2 + 8S^y}}{2} \le p + \sqrt{2S^y},$$

where the last inequality results from the concavity of the square-root function.

Finally, $\omega(G) = \mathbb{E}_y[\omega^y]$ by definition, and therefore:

$$\omega(G) \le p + \sqrt{2}\,\mathbb{E}_y\left[\sqrt{S^y}\right] \le p + \sqrt{2}\sqrt{\mathbb{E}_y[S^y]} \le p + \sqrt{2/q},$$

which concludes the proof. □
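Lemma 1 can be checked by exhaustive search over deterministic strategies for small fields; the following is an added example, not code from the paper. It assumes q prime (arithmetic mod q) and takes Alice's input distribution as a list of Fractions; the function names and the skewed distribution are constructed, and the bound is informative only when p + sqrt(2/q) < 1.

```python
from fractions import Fraction
from itertools import product
from math import sqrt

def classical_value(q, px):
    """Exact classical value of one game in CHSH_q(p), for prime q.

    px[x] is the probability of Alice's input x; Bob's input y is uniform.
    Deterministic strategies suffice, so enumerate every f and give Bob
    his best reply g(y) to each f.
    """
    if len(px) != q or sum(px) != 1:
        raise ValueError("px must be a distribution over F_q")
    best = Fraction(0)
    for f in product(range(q), repeat=q):          # Alice answers a = f(x)
        total = Fraction(0)
        for y in range(q):
            # weight[b] = Pr_x[f(x) + b = x*y], i.e. b = x*y - f(x) mod q
            weight = [Fraction(0)] * q
            for x in range(q):
                weight[(x * y - f[x]) % q] += px[x]
            total += max(weight)                   # Bob answers b = g(y)
        best = max(best, total / q)
    return best

def lemma1_bound(q, px):
    """Right-hand side of Lemma 1 with p = max_x p_x."""
    return float(max(px)) + sqrt(2 / q)

def check(q, px):
    """Return (exact value, Lemma 1 bound, whether the bound holds)."""
    value = classical_value(q, px)
    bound = lemma1_bound(q, px)
    return value, bound, value <= bound

if __name__ == "__main__":
    uniform5 = [Fraction(1, 5)] * 5
    skewed5 = [Fraction(3, 10)] + [Fraction(7, 40)] * 4   # constructed, p = 0.3
    for name, px in (("uniform", uniform5), ("skewed", skewed5)):
        value, bound, ok = check(5, px)
        print(name, float(value), round(bound, 3), ok)
```

For q = 2 the search reproduces the value (1 + p)/2 quoted above for CHSH_2(p).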

Security of the protocol. — The perfect hiding property of this protocol has already been discussed in m. Indeed, at any point before the reveal phase, the Bobs have no information about the committed bit $d$. Our main contribution is the following binding property of this protocol.

Theorem 1. This relativistic bit commitment scheme is $\varepsilon$-binding with $\varepsilon \le 2k\sqrt{2/q}$ where $k$ is the number of rounds used in the protocol.

Proof. We present here the main elements of the proof. The technical details can be found in the Appendix. Let us fix a cheating strategy for Alice, which consists of the messages $y_j$ that her agents will send depending on the current history and the bit $d$ she wants to decommit to. During the reveal phase, Alice successfully reveals $d$ if $A_1$ sends the correct $a_k$ to Bob. For a fixed cheating strategy, $a_k$ is a function of $d, b_1, \ldots, b_k$. However, during the reveal phase, $A_1$ has no information about $b_k$. Therefore, $A_1$ will not be able to reveal $a_k$ if it has too much dependence in $b_k$ on average on $d$. We show that this is indeed the case.

Let $P_j^d$ be the maximal probability that the passive player guesses $a_j$, given $d$. We have by definition

$$P_k^0 + P_k^1 = 1 + \varepsilon.$$

In order to prove our statement, we show the following:

• $P_1^0 + P_1^1 \le 1 + 2\sqrt{2/q}$.

• For any $d$ and $j$, $P_j^d \le P_{j-1}^d + \sqrt{2/q}$.

To prove the first point, the idea is to reduce $A_2$’s strategy for guessing $a_1$ into a strategy for $\mathrm{CHSH}_q(1/2)$. $A_1$ receives $b_1$ and outputs $y_1$ which is independent of $d$. $A_2$ knows $d$ and outputs $a_1$. $A_2$ outputs the correct $a_1$ when $a_1 + y_1 = d * b_1$. For an average $d$, this can happen with probability at most $\omega(\mathrm{CHSH}_q(1/2)) \le \frac{1}{2} + \sqrt{2/q}$. Therefore, we have

$$\frac{1}{2}\left(P_1^0 + P_1^1\right) \le \omega(\mathrm{CHSH}_q(1/2)) \le \frac{1}{2} + \sqrt{2/q},$$

which gives the desired result. The idea here is to reduce passive Alice’s strategy for guessing $a_1$ to a strategy for winning $\mathrm{CHSH}_q(1/2)$.

Similarly, fix a round $j$ and $d$. We can reduce passive Alice’s strategy for guessing $a_j$ to a strategy for winning $\mathrm{CHSH}_q(P_{j-1}^d)$. Indeed, active Alice knows $b_j$ and outputs $y_j$. Passive Alice knows $a_{j-1}$ and outputs a guess $a_j$. She outputs the correct value if and only if $a_j + y_j = b_j * a_{j-1}$.

This corresponds to an instance of $\mathrm{CHSH}_q$ where $b_j \in \mathbb{F}_q$ is random and where active Alice (we consider here active Alice at round $j$, which is the passive Alice at round $j - 1$) can guess $a_{j-1}$ with probability $P_{j-1}^d$. This means that we can reduce passive Alice’s strategy for guessing $a_j$ to a strategy for winning a certain game in $\mathrm{CHSH}_q(P_{j-1}^d)$. Using Proposition we obtain $P_j^d \le P_{j-1}^d + \sqrt{2/q}$. Putting all this together, we can conclude that $P_k^0 + P_k^1 \le 1 + 2k\sqrt{2/q}$. □

Experimental perspectives and open questions. — Let us discuss the security of the protocol in realistic conditions. Theorem 1 shows that m = e^fqj2 rounds can be performed for a given level of security $\varepsilon$. In particular, if the distance between $A_1/B_1$ and $A_2/B_2$ is $d$, then the commitment can be sustained for a time

T = {d/c) ea/^,

where $c$ is the speed of light. In particular, provided that 1 /e^, the commitment time can be made arbitrarily long. For instance, taking 128 bits of security, i.e. $\varepsilon = 2^{-128}$ and q = gives $T \approx 3 \cdot 10^{12}\,(d/c)$, that is approximately 30 years for a distance $d = 100$ km. In this example, the messages sent at each round only consist of 340 bits.

It is also possible to reduce the distance between $A_1/B_1$ and $A_2/B_2$, on the condition that both the computation time and the communication time between $A_1$ and $B_1$ remain negligible compared to $d/c$. This is necessary to enforce the non-signaling condition of the $\mathrm{CHSH}_q$ game. For instance, if the computation time is on the order of the microsecond, then $d$ should be at least 300 meters.

Let us conclude by mentioning a few open questions. Certainly the most pressing one concerns the security of the protocol against quantum adversaries. A first step in that direction would be to obtain tight upper bounds on the entangled value $\omega^*$ of games in $\mathrm{CHSH}_q(p)$. Another outstanding problem is whether the bit-commitment protocol of m can be used to obtain a protocol for Oblivious-Transfer. In particular, this would pave the way for arbitrary two-party cryptography with security based on the non-signaling principle. Finally, it would be particularly interesting to understand whether 2 agents are indeed necessary for each player, or whether the second agent could for instance be replaced by assuming that the spatial positions of Alice and Bob are known.

Note added. — In an independent and concurrent work, Fehr and Fillinger [23] proved a general composition theorem for two-prover commitments which implies a bound on the security of the Lunghi et al. protocol similar to the one derived here.
Appendix A: Detailed proof of Theorem 1

In this Appendix, we give a formal proof of Theorem 1. We consider the case of a cheating Alice. At round $j$, active Alice receives a string $b_j \in \mathbb{F}_q$ and sends back a message $y_j$. From the relativistic constraints, we know that this message $y_j$ is totally independent of $b_{j-1}$. We can therefore view $y_j$ as a function of $d, b_1, \ldots, b_{j-2}, b_j$. We also recursively define the functions $a_j = y_j + (b_j * a_{j-1})$, with $a_0 = d$. These are functions of $d, b_1, \ldots, b_j$.

Note that if Alice performs a probabilistic cheating strategy, her success probability will be the average of the success probabilities for each possible strategy she performs. It is therefore sufficient to bound Alice’s cheating probability over all deterministic strategies. Let us then consider a deterministic cheating strategy for Alice: it is fully determined by the functions $y_j$, as well as a function $G(d, b_1, \ldots, b_{k-1})$ that $A_1$ uses to guess $a_k$ during the reveal phase. Alice successfully reveals $d$ iff $G(d, b_1, \ldots, b_{k-1}) = a_k(d, b_1, \ldots, b_k)$. Therefore, we have

$$\begin{aligned}
1 + \varepsilon &= \Pr[\text{Alice successfully reveals } d = 0] + \Pr[\text{Alice successfully reveals } d = 1] \\
&= \Pr_{b_1, \ldots, b_k}[G(0, b_1, \ldots, b_{k-1}) = a_k(0, b_1, \ldots, b_k)] + \Pr_{b_1, \ldots, b_k}[G(1, b_1, \ldots, b_{k-1}) = a_k(1, b_1, \ldots, b_k)] \\
&= 2 \Pr_{d, b_1, \ldots, b_k}[G(d, b_1, \ldots, b_{k-1}) = a_k(d, b_1, \ldots, b_k)].
\end{aligned}$$

Intuitively, Alice will be able to win if the function $a_k$ is independent of $b_k$, on average on $d$ and the other $b_i$. We will prove that $a_k$ has some large dependence on $b_k$, which will limit Alice’s cheating possibilities. We will actually show by induction that for each $j$, the function $a_j$ has some large dependency on $b_j$.

We define the independence parameter of function $f$ for a variable $y$ as follows:

Definition 1 (Independence parameter of a variable on a function). Let $f : \mathcal{X} \times \mathcal{Y} \to \mathcal{Z}$ be a function. The Independence Parameter of $f$ for variable $y \in \mathcal{Y}$, denoted by $IP(f\|y)$, is defined by

$$IP(f\|y) := \max_{g : \mathcal{X} \to \mathcal{Z}} \left[\Pr_{x,y}[f(x, y) = g(x)]\right], \qquad (A1)$$

where we use the uniform measure on $\mathcal{X} \times \mathcal{Y}$.

By definition, the case $IP(f\|y) = 1$ corresponds to a function $f$ independent of $y$. If $IP(f\|y) < 1$, then the function $f$ depends on $y$. The definition of the independence parameter immediately yields $1 + \varepsilon = 2\,IP(a_k\|b_k)$, and our goal is therefore to obtain a tight upper bound for $IP(a_k\|b_k)$.

We prove the following:

Proposition 1. $\forall j$, $IP(a_j\|b_j) \le \frac{1}{2} + j\sqrt{2/q}$.

Proof. We prove the proposition by induction on $j$.

Let us first consider the base case:

$$IP(a_1\|b_1) = \max_{g : \mathbb{F}_q \to \mathbb{F}_q} \Pr_{d, b_1}[a_1(d, b_1) = g(d)] \qquad (A2)$$

where $b_1$ is uniformly distributed in $\mathbb{F}_q$ and $d$ is equal to either 0 or 1, each with probability 1/2. Let $g$ be the function that maximizes the above expression, which gives $IP(a_1\|b_1) = \Pr_{d, b_1}[a_1(d, b_1) = g(d)]$. We write $a_1(d, b_1) = y_1(b_1) + (b_1 * d)$ for some function $y_1$. We now use the functions $g$ and $y_1$ to construct a strategy for a game $G \in \mathrm{CHSH}_q(1/2)$. We consider the following game between two players Adeline and Bastian:

• Adeline receives a random element $X \in \mathbb{F}_q$. Bastian receives an element $Y \in \mathbb{F}_q$ which is equal to 0 with probability 1/2 and 1 with probability 1/2.

• Their goal is to respectively output $A$ and $B$ in $\mathbb{F}_q$ such that $A + B = X * Y$.

The above game is in $\mathrm{CHSH}_q(1/2)$. Intuitively, we mapped $A_1$ to Adeline and $A_2$ to Bastian, where the input $X$ corresponds to $b_1$ and the input $Y$ corresponds to $d$.

We consider the following strategy for this game: Adeline outputs $A = y_1(X)$ and Bastian outputs $B = -g(Y)$. They win the game iff $y_1(X) - g(Y) = X * Y$. Therefore, we have

$$\begin{aligned}
\omega(G) &\ge \Pr_{X,Y}[y_1(X) - g(Y) = X * Y] = \Pr_{X,Y}[a_1(Y, X) + (X * Y) - g(Y) = (X * Y)] \\
&= \Pr_{X,Y}[a_1(Y, X) = g(Y)] = IP(a_1\|b_1).
\end{aligned}$$

Combining this lower bound on the value $\omega(G)$ of the game with Lemma 1 applied to $G \in \mathrm{CHSH}_q(1/2)$ gives

$$IP(a_1\|b_1) \le \omega(G) \le \frac{1}{2} + \sqrt{2/q},$$

which establishes the base case.


We now move to the induction step and assume that $IP(a_j\|b_j) \le \frac{1}{2} + j\sqrt{2/q}$. Let us fix $h := (d, b_1, \ldots, b_{j-1})$ the history before time $j$. Let us define the independence parameter conditioned on the history $h$:

$$IP(a_{j+1}\|b_{j+1})^h = \max_{g_{j+1}} \Pr_{b_j, b_{j+1}}[a_{j+1}(h, b_j, b_{j+1}) = g_{j+1}(b_j)].$$

Averaging over $h$ gives back the independence parameter: $IP(a_{j+1}\|b_{j+1}) = \mathbb{E}_h[IP(a_{j+1}\|b_{j+1})^h]$. We write $a_{j+1}(h, b_j, b_{j+1}) = y_{j+1}^h(b_{j+1}) + (b_{j+1} * a_j(h, b_j))$. Notice that the dependence in $b_j$ of the function $a_{j+1}(h, b_j, b_{j+1})$ lies only in the function $a_j(h, b_j)$. Therefore, we can write

$$IP(a_{j+1}\|b_{j+1})^h = \max_{g_{j+1} : \mathbb{F}_q \to \mathbb{F}_q} \Pr_{b_j, b_{j+1}}[a_{j+1}(h, b_j, b_{j+1}) = g_{j+1}(a_j(h, b_j))].$$

Let $g_{j+1}^h$ be the function that maximizes the expression:

$$IP(a_{j+1}\|b_{j+1})^h = \Pr_{b_j, b_{j+1}}[a_{j+1}(h, b_j, b_{j+1}) = g_{j+1}^h(a_j(h, b_j))].$$

We now use the functions $y_{j+1}^h$ and $g_{j+1}^h$ to construct a strategy for a game $G_{j+1}^h \in \mathrm{CHSH}_q(IP(a_j\|b_j)^h)$. We consider the following game between two players Adeline and Bastian:

• Adeline receives a random element $X \in \mathbb{F}_q$. Bastian receives an element $Y \in \mathbb{F}_q$ such that $\Pr[Y = c] = \Pr_{b_j}[a_j(h, b_j) = c]$.

• Their goal is to respectively output $A$ and $B$ in $\mathbb{F}_q$ such that $A + B = X * Y$.

Intuitively, we mapped the active Alice (during round $j + 1$) to Adeline and the passive Alice to Bastian, where the input $X$ corresponds to $b_{j+1}$ and the input $Y$ corresponds to $a_j$. Recall that the active Alice has no information about $b_j$ during step $j + 1$. Therefore, she can determine $a_j$ with probability at most: $IP(a_j\|b_j)^h := \max_c \Pr_{b_j}[a_j(h, b_j) = c]$.

This shows that the above game is in $\mathrm{CHSH}_q(IP(a_j\|b_j)^h)$.

We consider the following strategy for this game: Adeline outputs $A = y_{j+1}^h(X)$ and Bastian outputs $B = -g_{j+1}^h(Y)$. They win the game iff $y_{j+1}^h(X) - g_{j+1}^h(Y) = X * Y$, which implies that

$$\begin{aligned}
\omega(G_{j+1}^h) &\ge \Pr_{X,Y}[y_{j+1}^h(X) - g_{j+1}^h(Y) = X * Y] \\
&= \Pr_{X, b_j}[y_{j+1}^h(X) - g_{j+1}^h(a_j(h, b_j)) = X * a_j(h, b_j)] \quad \text{where the distribution over both } X \text{ and } b_j \text{ is uniform} \\
&= \Pr_{X, b_j}[a_{j+1}(h, b_j, X) + (a_j(h, b_j) * X) - g_{j+1}^h(a_j(h, b_j)) = (X * a_j(h, b_j))] \\
&= \Pr_{X, b_j}[a_{j+1}(h, b_j, X) = g_{j+1}^h(a_j(h, b_j))] \\
&= IP(a_{j+1}\|b_{j+1})^h.
\end{aligned}$$

Moreover, Lemma 1 shows that $\omega(G_{j+1}^h) \le IP(a_j\|b_j)^h + \sqrt{2/q}$ since the game $G_{j+1}^h$ belongs to $\mathrm{CHSH}_q(IP(a_j\|b_j)^h)$. Combining both inequalities gives:




(A3) 


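In order to conclude, notice that $IP(a_j\|b_j) = \mathbb{E}_h[IP(a_j\|b_j)^h]$ and $IP(a_{j+1}\|b_{j+1}) = \mathbb{E}_h[IP(a_{j+1}\|b_{j+1})^h]$. Taking the expectation of Eq. (A3) over the history $h$ finally gives:

$$\begin{aligned}
IP(a_{j+1}\|b_{j+1}) = \mathbb{E}_h[IP(a_{j+1}\|b_{j+1})^h] &\le \mathbb{E}_h\left[IP(a_j\|b_j)^h + \sqrt{2/q}\right] \\
&= IP(a_j\|b_j) + \sqrt{2/q} \\
&\le \frac{1}{2} + (j + 1)\sqrt{2/q}.
\end{aligned}$$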


Proposition 1 implies that $IP(a_k\|b_k) \le \frac{1}{2} + k\sqrt{2/q}$ and the discussion at the beginning of the appendix allows us to conclude that the protocol is $\varepsilon$-binding with $\varepsilon = 2k\sqrt{2/q}$. □